b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                       Lack of Proper IRS Oversight of the\n                      Department of the Treasury HSPD-12\n                     Initiative Resulted in Misuse of Federal\n                              Government Resources\n\n\n\n                                       December 14, 2007\n\n                              Reference Number: 2008-20-030\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n Redaction Legend:\n 3(a) = Identifying Information - Name of an Individual or Individuals\n 3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals\n\n\n Phone Number | 202-622-6500\n Email Address | inquiries@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                  DEPARTMENT OF THE TREASURY\n                                                        WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                               December 14, 2007\n\n\n MEMORANDUM FOR ACTING COMMISSIONER\n\n FROM:                         Michael R. Phillips\n                               Deputy Inspector General for Audit\n\n SUBJECT:                      Final Audit Report \xe2\x80\x93 Lack of Proper IRS Oversight of the Department\n                               of the Treasury HSPD-12 Initiative Resulted in Misuse of Federal\n                               Government Resources (Audit # 200720034)\n\n This report presents the results of our review to assess prior Homeland Security Presidential\n Directive-12 (HSPD-12)1 program management activities and provide Internal Revenue Service\n (IRS) executives with an independent perspective to assist them in future implementation of the\n HSPD-12 program.2\n This report presents the results of our second audit of HSPD-12. The IRS has been designated as\n the lead bureau for ensuring the Department of the Treasury (the Treasury) complies with the\n Directive. In our first review,3 we reported that the IRS was at risk of wasting taxpayer funds\n because the Treasury was developing its own system for issuing the cards rather than joining\n other agencies that had already incurred much of the upfront costs associated with this effort.\n\n Impact on the Taxpayer\n The total estimated cost to build and maintain an HSPD-12 system for the Treasury is\n $421 million over 14 years. As the lead bureau for the Treasury, the IRS is charged with\n ensuring the funds are spent prudently. The IRS estimated it had obligated $30 million as of\n June 2007. However, $3.5 million was spent on acquisitions that should have been avoided. In\n\n\n 1\n   Policy for a Common Identification Standard for Federal Employees and Contractors (signed by President Bush\n on August 27, 2004). This Directive requires all Federal Government agencies to meet standards for issuing\n identification badges that will be used for entering Federal Government facilities and accessing computer systems.\n 2\n   Also referred to as \xe2\x80\x9cthe program\xe2\x80\x9d in this report.\n 3\n   Progress Has Been Slow in Meeting Homeland Security Presidential Directive-12 Requirements (Reference\n Number 2007-20-110, dated June 20, 2007).\n\x0c                   Lack of Proper IRS Oversight of the Department of the Treasury\n                    HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                             Resources\n\n\naddition, the IRS did not administer contracts effectively and could not provide documentation to\nsupport the actual costs charged to the HSPD-12 program. Oversight of the program was\nhindered because the IRS, on advice from the Treasury, did not prepare a formal business case4\nfor the program. As a result, taxpayers could have little confidence their funds were being used\neffectively during the early stages of this initiative.\n\nSynopsis\nTo implement HSPD-12, the IRS initially established an integrated project team to lead its\nefforts. In September 2005, the IRS replaced the project team by formally establishing an\nHSPD-12 Program Management Office (PMO). In January 2006, the IRS Commissioner\nvolunteered the IRS to lead the Treasury HSPD-12 program efforts and to deliver a\nDepartmentwide solution. The Treasury agreed and, in March 2006, the IRS assumed leadership\nof the Treasury HSPD-12 PMO.\nThe integrated project team, and later the PMO, did not effectively manage the contracts for the\nHSPD-12 program. Statements of work were too general to hold contractors accountable for\nwork performed, and the IRS paid contractors without verifying work was performed. The IRS\ncould not provide supporting documentation for the actual costs spent on the program, and we\nfound that at least $3.5 million was spent on unneeded hardware, software, and services. The\nfollowing specific costs could have been avoided:\n    \xe2\x80\xa2    $1,940,397 spent to purchase 350,000 Public Key Infrastructure5 certificates in March\n         and September 2005.\n    \xe2\x80\xa2    $837,616 spent to purchase 18 Public Key Infrastructure servers in September 2005 that\n         were never used for the program.\n    \xe2\x80\xa2    $431,035 spent to establish an identification badge laboratory to create a test environment\n         for issuing HSPD-12 identification badges.\n    \xe2\x80\xa2    $91,618 spent to reimburse the General Services Administration for preparing a Request\n         for Procurement for acquiring another contractor\xe2\x80\x99s services.\n    \xe2\x80\xa2    $188,160 paid to a contractor for 1 person to perform clerical duties over an 11-month\n         period.\nIn addition, the IRS did not follow its established governance procedures for overseeing the\nHSPD-12 program because it did not prepare a formal business case for the program. An\n\n4\n  The IRS uses a business case as the primary tool for capital planning and investment control. The business case\nprovides a standard format for reporting key details about the investment.\n5\n  Public Key Infrastructure is an encryption system of digital certificates from authorities that verify and authenticate\nthe validity of each party involved in an electronic transaction.\n                                                                                                                       2\n\x0c\x0c                Lack of Proper IRS Oversight of the Department of the Treasury\n                 HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                          Resources\n\n\ninvoices before payments are made to contractors; and assigning planned costs, including labor\nhours, to project tasks to support all HSPD-12 program costs. The IRS will coordinate with the\nTreasury to evaluate the possibility of combining Public Key Infrastructure efforts with those of\nthe General Services Administration. In addition, the IRS will strengthen the responsibilities of\nthe executive steering committees and ensure project reporting templates, used by projects at the\nassigned governance board, are updated to reflect project status and compliance with the\nEnterprise Life Cycle. Management\xe2\x80\x99s complete response to the draft report is included as\nAppendix VII.\nCopies of this report are also being sent to the IRS managers affected by the report\nrecommendations. Please contact me at (202) 622-6510 if you have questions or\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at\n(202) 622-8510.\n\n\n\n\n                                                                                                4\n\x0c                      Lack of Proper IRS Oversight of the Department of the Treasury\n                       HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                                Resources\n\n\n\n\n                                            Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 4\n          The Program Management Office Did Not Adequately Safeguard\n          the Financial Interests of the Federal Government .......................................Page 4\n                    Recommendations 1 through 4:.........................................Page 9\n\n          The Internal Revenue Service Governance Process Over the HSPD-12\n          Program Was Ineffective ..............................................................................Page 10\n                    Recommendation 5:........................................................Page 13\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 15\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 17\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 18\n          Appendix IV \xe2\x80\x93 Outcome Measure ................................................................Page 19\n          Appendix V \xe2\x80\x93 Enterprise Life Cycle Overview............................................Page 21\n          Appendix VI \xe2\x80\x93 Participants Involved in Oversight of the Department\n          of the Treasury HSPD-12 Initiative ..............................................................Page 24\n          Appendix VII \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report.....................Page 26\n\x0c          Lack of Proper IRS Oversight of the Department of the Treasury\n           HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                    Resources\n\n\n\n\n                          Abbreviations\n\nGSA                 General Services Administration\nHSPD-12             Homeland Security Presidential Directive-12\nIRS                 Internal Revenue Service\nPKI                 Public Key Infrastructure\nPMO                 Program Management Office\n\x0c                      Lack of Proper IRS Oversight of the Department of the Treasury\n                       HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                                Resources\n\n\n\n\n                                                 Background\n\nOn August 27, 2004, President Bush signed Homeland Security Presidential Directive-12\n(HSPD-12), Policy for a Common Identification Standard for Federal Employees and\nContractors. This Directive established a new standard for issuing and processing Federal\nGovernment identification badges for entering Federal Government facilities and accessing\ncomputer systems. The Office of Management and Budget, which is responsible for overseeing\nimplementation of the Directive, established the following deadlines for Federal Government\nagencies:\n       \xe2\x80\xa2   October 27, 2005 \xe2\x80\x93 Agencies must develop procedures for registering employees, issuing\n           cards, and maintaining a card system.\n       \xe2\x80\xa2   October 27, 2006 \xe2\x80\x93 Agencies must demonstrate their ability to issue an identification card\n           to a new employee.\n       \xe2\x80\xa2   October 27, 2007 \xe2\x80\x93 Agencies must verify and/or complete background investigations and\n           issue identification cards for all employees with fewer than 15 years of service.\n       \xe2\x80\xa2   October 27, 2008 \xe2\x80\x93 Agencies must verify and/or complete background investigations and\n           issue identification cards for employees with 15 or more years of service.\nTo implement HSPD-12, the Internal Revenue Service (IRS) initially established an integrated\nproject team to lead its efforts. However, the leadership and responsibilities of the program have\nchanged significantly over the past 3 fiscal years. Figure 1 provides a historical perspective on\nthe designation of HSPD-12 program1 management oversight responsibilities.\n\n\n\n\n1\n    Also referred to as \xe2\x80\x9cthe program\xe2\x80\x9d in this report.\n                                                                                              Page 1\n\x0c                   Lack of Proper IRS Oversight of the Department of the Treasury\n                    HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                             Resources\n\n\n\n       Figure 1: Timeline of the HSPD-12 Program Management Office (PMO)\n       First Quarter of Fiscal   The IRS established an integrated project team to lead the HSPD-12 project.\n             Year 2005           The Modernization and Information Technology Services organization managed\n                                 the project during this period.\n         September 2005          The IRS established the HSPD-12 PMO and designated the Mission Assurance\n                                 and Security Services organization to assume sole leadership of the program\n                                 efforts.\n           January 2006          The IRS Commissioner volunteered the IRS to lead the Department of the\n                                 Treasury (the Treasury) HSPD-12 program efforts and to deliver a\n                                 Departmentwide solution.\n            March 2006           The Treasury designated the IRS to assume leadership of its HSPD-12 initiative.\n            March 2006           The Treasury HSPD-12 Executive Steering Committee was established to\n                                 provide executive-level oversight and support of HSPD-12 implementation\n                                 across the entire Department.\n             May 2006            The Treasury Bureau Advisory Board was created to serve as the primary\n                                 coordination body for the Treasury and its bureaus on matters related to\n                                 HSPD-12 planning and implementation.\n             May 2007            The IRS replaced the Program Manager and designated the Agency-Wide\n                                 Shared Services organization as the lead organization for the Treasury\n                                 HSPD-12 initiative.\n   Source: Interviews with IRS officials.\n\nThe PMO must complete a significant amount of work to comply with the Directive and obtain\nidentification cards for approximately 150,000 employees who work in the Treasury. The PMO\nis led by a Program Manager and the scope of its work includes:\n   \xe2\x80\xa2    Enrollment \xe2\x80\x93 Employees must be fingerprinted and photographed, and their identities\n        must be verified.\n   \xe2\x80\xa2    Card Printing and Finalization \xe2\x80\x93 The identification cards must be encoded and printed\n        to comply with all HSPD-12 standards, including the encryption of personal data on the\n        cards. Each card is printed with an employee\xe2\x80\x99s photograph and other identifiable\n        information.\n   \xe2\x80\xa2    Systems Infrastructure \xe2\x80\x93 The identification cards will provide controls over employees\xe2\x80\x99\n        access to buildings and eventually be programmed to provide controls over employees\xe2\x80\x99\n        access to computer systems. The Treasury will have to develop and maintain a data store\n        of employee information, such as where they work and what facilities and computer\n        systems they are allowed to access.\n   \xe2\x80\xa2    Card Maintenance \xe2\x80\x93 Identification cards must be updated when employees\xe2\x80\x99\n        responsibilities and access needs change.\n\n\n\n\n                                                                                                            Page 2\n\x0c                  Lack of Proper IRS Oversight of the Department of the Treasury\n                   HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                            Resources\n\n\n\nOur first audit of HSPD-122 determined the PMO was experiencing delays in meeting the Office\nof Management and Budget milestones. The PMO was planning to produce its own\nidentification cards instead of taking advantage of the General Service Administration\xe2\x80\x99s (GSA)\nshared services provider, which was being offered to all Federal Government agencies at a low\ncost due to the economies of scale. Despite assigning 68 employees to the Treasury HSPD-12\neffort, the PMO had not yet purchased the hardware and software necessary to produce the\nidentification cards and did not expect to complete the program until September 2010, 2 years\nafter the Office of Management and Budget\xe2\x80\x99s mandated deadline. We recommended the IRS\nconsider the benefits of using the GSA shared services provider, coordinate with the GSA to\nresolve concerns, and customize the GSA solution to meet the Treasury\xe2\x80\x99s needs. The IRS agreed\nwith our recommendation and now intends to use the GSA shared services provider to the fullest\nextent possible.\nWe conducted this followup review to assess prior HSPD-12 program management activities and\nprovide IRS executives with an independent perspective to assist them in future implementation\nof the program. This review was performed at the IRS National Headquarters in\nNew Carrollton, Maryland, in the Agency-Wide Shared Services organization during the period\nJune through September 2007; it focused on activities occurring from the beginning of the\nprogram through May 2007. We conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require that we plan and perform the\naudit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objective. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit objective. Detailed\ninformation on our audit objective, scope, and methodology is presented in Appendix I. Major\ncontributors to the report are listed in Appendix II.\n\n\n\n\n2\n Progress Has Been Slow in Meeting Homeland Security Presidential Directive-12 Requirements (Reference\nNumber 2007-20-110, dated June 20, 2007).\n                                                                                                     Page 3\n\x0c                    Lack of Proper IRS Oversight of the Department of the Treasury\n                     HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                              Resources\n\n\n\n\n                                        Results of Review\n\nThe Program Management Office Did Not Adequately Safeguard the\nFinancial Interests of the Federal Government\nThe total estimated cost to build and maintain an HSPD-12 system for the Treasury is\n$421 million over 14 years. The IRS advised us that, as of June 2007, it had obligated\napproximately $30 million. However, the IRS spent at least $3.5 million of these funds on\nacquisitions that should have been avoided. In addition, it did not administer contracts\neffectively and could not provide documentation to support planned or actual costs attributable to\nthe HSPD-12 program.\n\nHSPD-12 program funds were used to purchase unneeded hardware, software,\nand services\nThe IRS HSPD-12 integrated project team made several unnecessary purchases in Fiscal\nYear 2005. The following costs could have been avoided.\n    \xe2\x80\xa2    $1,940,397 spent to purchase 350,000 Public Key Infrastructure (PKI)3 certificates in\n         March and September 2005. PKI certificates will be needed in the future so employees\n         can use their identification cards to access computer systems; however, the IRS does not\n         expect to use the cards at this time. The Treasury informed us that the certificates the\n         IRS purchased had a 3-year lifespan; however, the IRS was unable to provide us with the\n         exact dates on which these certificates would expire.\n         Both the GSA and the Treasury have been developing separate PKI strategies. During\n         our last review, the Program Manager stated that the need for the HSPD-12 program to\n         comply with the Treasury PKI strategy was one of the reasons the IRS did not consider\n         earlier use of the GSA shared services provider for the purchase of identification cards.\n         To ensure consistency throughout the Federal Government and reduce the duplication of\n         effort in providing an effective PKI solution, we believe the Treasury should coordinate\n         with the GSA and possibly other agencies to determine the feasibility of developing one\n         PKI solution Governmentwide. The GSA has recently endorsed the vendor used by the\n         Treasury, which could make the transition easier than in prior years.\n    \xe2\x80\xa2    $837,616 spent in September 2005 to purchase 18 PKI servers that were never used for\n         the HSPD-12 program. We were advised that some of the servers have been used on a\n\n3\n PKI is an encryption system of digital certificates and other authorities that verify and authenticate the validity of\neach party involved in an electronic transaction.\n                                                                                                                Page 4\n\x0c                   Lack of Proper IRS Oversight of the Department of the Treasury\n                    HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                             Resources\n\n\n\n        very limited, intermittent basis for other IRS projects. It is clear, however, that the\n        servers were purchased prematurely and the funds could have been used more effectively.\n        The IRS Enterprise Life Cycle4 is divided into five milestones and requires the purchase\n        of hardware and software in the fourth milestone of a project. However, the program had\n        not yet exited the first milestone of the Enterprise Life Cycle at the time the servers were\n        purchased.\nThe Treasury HSPD-12 PMO also spent $710,813 that could have been avoided. These\nexpenditures included:\n    \xe2\x80\xa2   $431,035 spent from September 2006 through June 2007 to establish and maintain an\n        identification badge laboratory to create a test environment for issuing HSPD-12\n        identification badges. The laboratory included a computer for the initial processing of\n        employees, a credential verification system, and an identification card printer; however,\n        most of the costs were for contractor labor. The laboratory has been closed and deemed\n        unnecessary now that the Treasury is planning to use the GSA shared services provider\n        for card issuance. The PMO did not follow the Enterprise Life Cycle when purchasing\n        the lab equipment. Testing and piloting of new systems should occur during\n        development and integration, which take place in the fourth phase of the Enterprise Life\n        Cycle. The program had not exited the first milestone when the items were purchased.\n    \xe2\x80\xa2   $91,618 spent in Fiscal Year 2007 to reimburse the GSA for preparing a Request for\n        Procurement for acquiring another contractor\xe2\x80\x99s services. The purpose of the contract was\n        to assist the PMO in meeting the needs of the Treasury\xe2\x80\x99s own HSPD-12 identification\n        card system. The contract to provide these services was cancelled after the Treasury\n        decided to use the GSA shared services provider for all identification card services, and a\n        contractor was never selected. The PMO was aware that other options were available at\n        the time; the Request for Procurement was never used to solicit bids.\n    \xe2\x80\xa2   $188,160 paid to a contractor for 1 person to provide clerical support over an 11-month\n        period. The clerk was responsible for processing documents, maintaining and updating\n        the PMO contact list, assigning and tracking equipment, maintaining calendars and\n        meetings, and processing trip reports and was billed at $128 per hour. Similar duties\n        could have been provided to the PMO using resources already available at the IRS.\nWe attribute these unnecessary purchases to ineffective program management. The PMO did not\nfollow the IRS Enterprise Life Cycle and did not carry out its fiduciary responsibilities when\nmaking decisions to purchase hardware and software. A key official from the Modernization and\n\n\n4\n The Enterprise Life Cycle establishes a set of repeatable processes and a system of reviews, checkpoints, and\nmilestones that reduce the risks of system development and ensures alignment with the overall business strategy.\nAll IRS personnel and contractors involved in information technology efforts are required to follow the Enterprise\nLife Cycle. See Appendix V for additional details.\n                                                                                                            Page 5\n\x0c                     Lack of Proper IRS Oversight of the Department of the Treasury\n                      HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                               Resources\n\n\n\nInformation Technology Services organization informed us the IRS had worked hard to obtain\nfunding ($15 million) for Fiscal Year 2005 and believed the IRS needed to spend the funds by\nthe end of the fiscal year. We reviewed procurement documentation and found approximately\n90 percent of the program\xe2\x80\x99s Fiscal Year 2005 budget was obligated to contractors during the last\n2 months of Fiscal Year 2005. We consider these purchases to be an inefficient use of resources.\n\nStatements of work were incomplete, and the IRS paid contractors without\nverifying work was performed\nAccording to the Federal Acquisition Regulation,5 the Contracting Officer is responsible for\nensuring performance of all necessary actions for effective contracting and ensuring compliance\nwith the contract. In addition, the Contracting Officer is to ensure the contractor(s) receives\nimpartial, fair, and equitable treatment and request and consider the advice of specialists when\nappropriate. The Contracting Officer\xe2\x80\x99s Technical Representative is charged with (1) developing\nthe specifications on each statement of work in such a manner as to promote competitive\nprocurement actions and (2) monitoring the contractor\xe2\x80\x99s technical performance to ensure the\nperformance is strictly within the scope of the contract. Statements of work should clearly define\nthe scope of the work requested and list specific deliverables describing what is due and when it\nis due. Additional duties include coordinating with the project\xe2\x80\x99s program manager on issues\nrelated to funding and to changes in the scope of the work.\nThe PMO hired three contractors to assist in planning, developing, and implementing the\nrequirements of the HSPD-12 program. Each contractor was assigned responsibilities to meet\nprogram goals. Specifically:\n       \xe2\x80\xa2   Booz Allen Hamilton was hired to address stakeholder management, communications,\n           and program support.\n       \xe2\x80\xa2   MITRE was hired to coordinate the program management and business process\n           engineering.\n       \xe2\x80\xa2   Presidio was hired to conduct the technical support work for implementation.\nA separate Contracting Officer\xe2\x80\x99s Technical Representative was assigned to each contract.\nStatements of work for the MITRE contract were adequate; however, those for the other two\ncontracts were not well defined.\nTo set aside or obligate funds for the three contracts, the IRS issued task orders to the\ncontractors. Task orders were issued to both Presidio and MITRE specifically for work on the\nHSPD-12 program. However, the PMO used existing IRS contracts with Booz Allen Hamilton\nto perform work related to the program. Instead of issuing a separate task order along with a\nstatement of work to Booz Allen Hamilton, the PMO charged the HSPD-12 work to existing task\n\n5\n    48 C.F.R. ch. 1 (2006).\n                                                                                           Page 6\n\x0c\x0c\x0c                Lack of Proper IRS Oversight of the Department of the Treasury\n                 HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                          Resources\n\n\n\nRecommendations\nThe Chief, Agency Wide-Shared Services, should:\nRecommendation 1: Require that future task orders prepared by the HSPD-12 PMO clearly\nseparate tasks by function. Doing so will help each contractor understand the tasks and propose\nits solution and will enable the IRS to monitor the contractor\xe2\x80\x99s performance.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n       HSPD-12 PMO has initiated a process to establish clear delineation of tasks by functional\n       area.\nRecommendation 2: Ensure Contracting Officer\xe2\x80\x99s Technical Representatives comply with\nprocedures that require sufficient supporting documentation for hours worked. The HSPD-12\nProgram Manager should also be required to provide written certification for labor hours worked\non contracts before any payments are made to contractors.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n       HSPD-12 project manager has implemented a process that will ensure the PMO and the\n       Contracting Officer\xe2\x80\x99s Technical Representatives are in compliance with existing IRS\n       procedures for reviewing invoices prior to making payments to contractors.\nRecommendation 3: Ensure the HSPD-12 Program Manager maintains documentation\nsufficient to support all program costs and assigns costs to specific tasks in the work breakdown\nstructure.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n       HSPD-12 PMO is now assigning planned costs, including labor hours, to project tasks.\n       The IRS will use software to track hours for Federal Government and contractor\n       employees for projected earned value and schedule analysis.\nThe Chief Information Officer should:\nRecommendation 4: Coordinate with the Treasury to evaluate the possibility of combining\nits PKI efforts with those of the GSA. Progress may be made for ensuring a consistent PKI\napproach throughout the Federal Government, and the duplication of effort could be reduced by\ntaking advantage of the lessons learned from both efforts.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n       IRS will coordinate with the Treasury to evaluate the possibility of combining PKI efforts\n       with those of the GSA. The IRS is using the GSA-provided certificates for the HSPD-12\n       compliant Personal Identification Verification cards to be used by new and existing\n       employees and contractors.\n\n\n\n                                                                                           Page 9\n\x0c\x0c                Lack of Proper IRS Oversight of the Department of the Treasury\n                 HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                          Resources\n\n\n\nthe business cases for decision making and for monitoring progress of information technology\ninvestments.\nIRS procedures require preparation of a separate business case for any major information\ntechnology investment that:\n   \xe2\x80\xa2   Requires special management attention because of its importance to the mission or\n       function of the agency.\n   \xe2\x80\xa2   Presents significant program or policy implications.\n   \xe2\x80\xa2   Requires a total life cycle cost of more than $50 million.\n   \xe2\x80\xa2   Obligates annual expenditures of more than $5 million.\nThe HSPD-12 program meets all of the above criteria; however, the PMO did not submit a\nseparate business case for the program to the Bureau Advisory Board and the HSPD-12\nExecutive Steering Committee. Information pertaining to the program was consolidated into\nanother business case for Treasurywide infrastructure costs; therefore, the information could not\nbe used by the HSPD-12 governance committees in making business decisions for the program.\nThe decision to consolidate the HSPD-12 business case into a Treasurywide security\ninfrastructure business case was based on guidance received from the Treasury Capital Planning\nand Investment Control Office. This decision is clearly in conflict with the stated requirement\nfor preparation of a business case.\nAn internal business case for the program was prepared and submitted in October 2006 by the\nPMO but was never shared with the governance committees overseeing the program. In\naddition, the internal business case did not include the information normally required by the\nOffice of Management and Budget and the IRS. Specifically:\n   \xe2\x80\xa2   Three viable alternatives were not provided. The Office of Management and Budget\n       requires agencies to identify and consider at least three viable alternatives, in addition to\n       the chosen investment strategy. The analysis should include estimated costs for each\n       alternative. One alternative, which should have been provided, is the GSA shared\n       services provider. The cost savings that could have been achieved by choosing the\n       shared services provider would have been apparent if this alternative had been provided\n       to IRS and Treasury executives. The PMO informed us the costs for the shared services\n       provider were unknown at the time the business case was prepared. However, cost data\n       for the GSA provider were available. Specifically, the GSA notified agencies in\n       September 2006 that it would charge $110 for initial card issuance, plus $52 per card for\n       annual maintenance.\n   \xe2\x80\xa2   Actual costs were not provided, and the PMO did not compare actual costs and\n       deliverables with budgeted estimates. Analysis of variances between actual and budgeted\n       estimates should provide an early warning for determining whether an investment project\n       is performing on schedule and within budget. The Office of Management and Budget\n       requires agencies to report the cost and schedule performance of investments.\n                                                                                             Page 11\n\x0c\x0c\x0c                Lack of Proper IRS Oversight of the Department of the Treasury\n                 HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                          Resources\n\n\n\nrole to address these challenges and, specifically, to enforce use of the IRS Enterprise Life Cycle\nrequirements.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n       IRS will continue to implement planned improvements in key management processes\n       through the continued rollout of program management initiatives. To enforce the use of\n       the Enterprise Life Cycle, the IRS will ensure project reporting templates, used by\n       projects at the assigned governance board, are updated to reflect project status and\n       compliance with the Enterprise Life Cycle. In addition, the IRS Program Governance\n       office will update executive steering committee charters to strengthen the committees\xe2\x80\x99\n       responsibilities.\n\n\n\n\n                                                                                           Page 14\n\x0c                  Lack of Proper IRS Oversight of the Department of the Treasury\n                   HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                            Resources\n\n\n\n                                                                                                Appendix I\n\n         Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to assess prior HSPD-12 program management activities\nand provide IRS executives with an independent perspective to assist them in future\nimplementation of the program. To accomplish this objective, we:\nI.      Identified and reviewed the requirements of HSPD-12 from the detailed guidance\n        established by Office of Management and Budget Memorandum 05-24, Implementation\n        of Homeland Security Presidential Directive\xe2\x80\x9312 (HSPD-12) Policy for a Common\n        Identification Standard for Federal Employees and Contractors (August 2005), and\n        Federal Information Processing Standard 201, Personal Identity Verification (PIV) of\n        Federal Employees and Contractors (February 2005).\nII.     Evaluated the governance process over the HSPD-12 program to determine whether the\n        funding decision was warranted and whether the executive steering committees provided\n        adequate oversight.\n        A. Reviewed the meeting minutes from the governance committees (the HSPD-12\n           Executive Steering Committee, Treasury Bureau Advisory Board, and Security and\n           Privacy Executive Steering Committee) that were overseeing the program.\n        B. Reviewed key program documents provided to the governance committees and\n           verified the accuracy and completeness of the documentation.\n        C. Determined whether procedures were followed in the approval of the program.\n        D. Evaluated the decision to move responsibility for the program from the\n           Modernization and Information Technology Services organization to the Mission\n           Assurance and Security Services organization in September 2005.\n        E. Reviewed the most current business case for the program.\nIII.    Determined whether the HSPD-12 PMO planned and carried out program tasks\n        effectively.\n        A. Reviewed the requirements matrix to determine whether key requirements in Federal\n           Information Processing Standard 201 were identified.\n        B. Reviewed the work breakdown structure1 for the program.\n\n\n1\n The work breakdown structure should identify what should be done, who will do it, how long it will take, and how\nmuch a program will cost. It should facilitate tracking of the program\xe2\x80\x99s deliverables, milestones, and costs.\n                                                                                                        Page 15\n\x0c                  Lack of Proper IRS Oversight of the Department of the Treasury\n                   HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                            Resources\n\n\n\n        C. Determined whether staffing levels were appropriate for the work scheduled and\n           performed and whether the program followed the IRS Enterprise Life Cycle2\n           methodology.\n        D. Determined whether the program met scheduled and budgeted goals and the\n           experience and qualifications of employees in the PMO.\nIV.     Determined whether the contracts used to deliver the HSPD-12 business solution were\n        appropriate.\n        A. Determined whether the appropriate types of contracts were used for the program.\n        B. Evaluated the terms of the contracts, including the statements of work, task orders,\n           and program deliverables such as status reports, and determined how much has been\n           and is obligated to be paid to the contractors.\nV.      Evaluated the process used by the HSPD-12 PMO to review and accept contract\n        deliverables.\n        A. Determined whether the PMO released funds based on accepted deliverables or based\n           on hours worked.\n        B. Interviewed the Contracting Officer\xe2\x80\x99s Technical Representatives and identified their\n           process for monitoring the contractors to ensure the contractors\xe2\x80\x99 work meets the\n           contracts\xe2\x80\x99 terms and requirements.\nVI.     Determined the total amount of funds possibly misspent on the HSPD-12 program. The\n        total funds should include all IRS and contractor labor costs and all hardware and\n        software costs.\n        A. Determined the total amount expended, committed, and obligated.\n        B. Evaluated the timing of the PMO\xe2\x80\x99s decision to scale back the program by adopting\n           the GSA shared services provider.\n        C. Compared the deliverables and work completed to the amounts spent and determined\n           the amounts misspent. We considered the possibility that the decision to forgo use of\n           the GSA shared services provider may not have been the only area of\n           mismanagement.3\n\n\n\n\n2\n See Appendix V for an overview of the Enterprise Life Cycle.\n3\n As identified in our prior report Progress Has Been Slow in Meeting Homeland Security Presidential Directive-12\nRequirements (Reference Number 2007-20-110, dated June 20, 2007).\n                                                                                                        Page 16\n\x0c               Lack of Proper IRS Oversight of the Department of the Treasury\n                HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                         Resources\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nStephen R. Mullins, Director\nThomas Polsfoot, Audit Manager\nWilliam A. Gray, Senior Auditor\nLouis Lee, Senior Auditor\nThomas Nacinovich, Senior Auditor\nGlenn Rhoades, Senior Auditor\nStasha Smith, Senior Auditor\n\n\n\n\n                                                                                     Page 17\n\x0c              Lack of Proper IRS Oversight of the Department of the Treasury\n               HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                        Resources\n\n\n\n                                                                 Appendix III\n\n                         Report Distribution List\n\nOffice of the Commissioner \xe2\x80\x93 Attn: Acting Chief of Staff C\nDeputy Commissioner for Operations Support OS\nChief, Agency-Wide Shared Services OS:A\nChief Information Officer OS:CIO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Chief, Agency-Wide Shared Services OS:A\n       Chief Information Officer OS:CIO\n\n\n\n\n                                                                       Page 18\n\x0c                    Lack of Proper IRS Oversight of the Department of the Treasury\n                     HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                              Resources\n\n\n\n                                                                                                     Appendix IV\n\n                                        Outcome Measure\n\nThis appendix presents detailed information on the measurable impact that our recommended\ncorrective actions will have on tax administration. This benefit will be incorporated into our\nSemiannual Report to Congress.\n\nType and Value of Outcome Measure:\n\xe2\x80\xa2   Inefficient Use of Resources \xe2\x80\x93 Actual; $3.5 million (see page 4).\n\nMethodology Used to Measure the Reported Benefit:\nThe outcome measure is reported using actual contract amounts and support for arriving at the\namounts listed. The PMO made unnecessary purchases totaling approximately $3.5 million.\nThe following costs could have been avoided.\n    \xe2\x80\xa2    $1,940,397 spent to purchase 350,000 PKI1 certificates in March and September 2005.\n         PKI certificates will be needed in the future so employees can use their identification\n         cards to access computer systems; however, the IRS does not expect to use the cards at\n         this time. The certificates procured in 2005 will expire in 2008; as of August 2007, only\n         12 had been issued. Current renewal fees for 50,000 2-year certificates will cost the IRS\n         an additional $1.7 million.\n    \xe2\x80\xa2    $837,616 spent to purchase 18 PKI servers in September 2005 that were never used for\n         the HSPD-12 program. We were advised that some of the servers have been used on a\n         very limited, intermittent basis for other IRS projects. The servers are located at four\n         different locations and are inventoried and categorized as being used for \xe2\x80\x9cdevelopment.\xe2\x80\x9d\n         The IRS Enterprise Life Cycle2 is divided into five milestones and requires the purchase\n         of hardware and software in the fourth milestone of a project. However, the program had\n         not yet exited the first milestone of the Enterprise Life Cycle at the time the servers were\n         purchased.\n    \xe2\x80\xa2    $431,035 spent to establish an identification badge laboratory to create a test environment\n         for issuing HSPD-12 identification badges. The laboratory included a computer for the\n         initial processing of employees, a credential verification system, and an identification\n\n1\n  PKI is an encryption system of digital certificates and other authorities that verify and authenticate the validity of\neach party involved in an electronic transaction.\n2\n  The Enterprise Life Cycle is a proven set of best practices that enhance the chances for successfully managing\nchange in IRS business processes and systems. See Appendix V for additional details.\n                                                                                                                Page 19\n\x0c            Lack of Proper IRS Oversight of the Department of the Treasury\n             HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                      Resources\n\n\n\n    card printer. The laboratory has been closed and deemed unnecessary now that the\n    Department of the Treasury (the Treasury) is planning to use the GSA shared services\n    provider for card issuance. The PMO did not follow the Enterprise Life Cycle when\n    purchasing the lab equipment. Pilot programs are normally released during the fourth\n    milestone; the HSPD-12 program had not exited the first milestone when the items were\n    purchased.\n\xe2\x80\xa2   $91,618 spent in Fiscal Year 2007 to reimburse the GSA for preparing a Request for\n    Procurement for acquiring another contractor\xe2\x80\x99s services. The purpose of the contract was\n    to assist the PMO in meeting the needs of the Treasury\xe2\x80\x99s own HSPD-12 identification\n    card system. The contract to provide these services was cancelled after the Treasury\n    decided to use the GSA shared services provider for all identification card services, and a\n    contractor was never selected. The PMO was aware that other options were available at\n    the time; the Request for Procurement was never used to solicit bids.\n\xe2\x80\xa2   $188,160 paid to a contractor for 1 person to provide clerical support over an 11-month\n    period. The clerk was responsible for processing documents, maintaining and updating\n    the PMO contact list, assigning and tracking equipment, maintaining calendars and\n    meetings, and processing trip reports and was billed at $128 per hour. Similar duties\n    could have been provided to the PMO using resources already available at the IRS.\n\n\n\n\n                                                                                       Page 20\n\x0c                Lack of Proper IRS Oversight of the Department of the Treasury\n                 HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                          Resources\n\n\n\n                                                                                    Appendix V\n\n                    Enterprise Life Cycle Overview\n\nThe Enterprise Life Cycle defines the processes, products, techniques, roles, responsibilities,\npolicies, procedures, and standards associated with planning, executing, and managing business\nchange. It includes redesign of business processes; transformation of the organization; and\ndevelopment, integration, deployment, and maintenance of the related information technology\napplications and infrastructure. Its immediate focus is the IRS Business Systems Modernization\nprogram. Both the IRS and its contractors must follow the Enterprise Life Cycle in\ndeveloping/acquiring business solutions for modernization projects.\n\nLife-Cycle Processes\nThe life-cycle processes of the Enterprise Life Cycle are divided into the following six phases:\n   \xe2\x80\xa2   Vision and Strategy - This phase establishes the overall direction and priorities for\n       business change for the enterprise. It also identifies and prioritizes the business or system\n       areas for further analysis.\n   \xe2\x80\xa2   Architecture - This phase establishes the concept/vision, requirements, and design for a\n       particular business area or target system. It also defines the releases for the business area\n       or system.\n   \xe2\x80\xa2   Development - This phase includes the analysis, design, acquisition, modification,\n       construction, and testing of the components of a business solution. It also includes\n       routine, planned maintenance of applications.\n   \xe2\x80\xa2   Integration - This phase includes the integration, testing, piloting, and acceptance of a\n       release. In this phase, the integration team brings together individual work packages of\n       solution components developed or acquired separately during the Development phase.\n       Application and technical infrastructure components are tested to determine if they\n       interact properly. If appropriate, the team conducts a pilot to ensure all elements of the\n       business solution work together.\n   \xe2\x80\xa2   Deployment - This phase includes preparation and release of a system to actual sites.\n       During this phase, the deployment team puts the solution release into operation at target\n       sites.\n   \xe2\x80\xa2   Operations and Support - This phase addresses the ongoing operations and support of\n       the system. It begins after the business processes and system(s) have been installed and\n       have begun performing business functions. It encompasses all of the operations and\n\n                                                                                            Page 21\n\x0c                Lack of Proper IRS Oversight of the Department of the Treasury\n                 HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                          Resources\n\n\n\n       support processes necessary to deliver the services associated with managing all or part\n       of a computing environment.\n       The Operations and Support phase includes the scheduled activities (e.g., planned\n       maintenance, systems backup, and production output) as well as the nonscheduled\n       activities (e.g., problem resolution and service request delivery, including emergency\n       unplanned maintenance of applications). It also includes the support processes required\n       to keep the system up and running at the contractually specified level.\n\nManagement Processes\nIn addition to the life-cycle processes, the Enterprise Life Cycle addresses the various\nmanagement areas at the process level. The management areas include:\n   \xe2\x80\xa2   IRS Governance and Investment Decision Management - This area is responsible for\n       managing the overall direction of the IRS, determining where to invest, and managing the\n       investments over time.\n   \xe2\x80\xa2   Program Management and Project Management - This area is responsible for\n       organizing, planning, directing, and controlling the activities within the program and its\n       subordinate projects to achieve the objectives of the program and deliver the expected\n       business results.\n   \xe2\x80\xa2   Architectural Engineering/Development Coordination - This area is responsible for\n       managing the technical aspects of coordination across projects and disciplines, such as\n       managing interfaces, controlling architectural changes, ensuring architectural compliance,\n       maintaining standards, and resolving issues.\n   \xe2\x80\xa2   Management Support Processes - This area includes common management processes,\n       such as quality management and configuration management that operate across multiple\n       levels of management.\n\nMilestones\nThe Enterprise Life Cycle establishes a set of repeatable processes and a system of milestones,\ncheckpoints, and reviews that reduce the risks of system development, accelerate the delivery of\nbusiness solutions, and ensure alignment with the overall business strategy. The Enterprise Life\nCycle defines a series of milestones in the life-cycle processes. Milestones provide for\n\xe2\x80\x9cgo/no-go\xe2\x80\x9d decision points in the project and are sometimes associated with funding approval to\nproceed. They occur at natural breaks in the process where there is new information regarding\ncosts, benefits, and risks and where executive authority is necessary for next-phase expenditures.\nThere are five milestones during the project life cycle:\n\n\n\n                                                                                           Page 22\n\x0c            Lack of Proper IRS Oversight of the Department of the Treasury\n             HSPD-12 Initiative Resulted in Misuse of Federal Government\n                                      Resources\n\n\n\n\xe2\x80\xa2   Milestone 1 - Business Vision and Case for Action. In the activities leading up to\n    Milestone 1, executive leadership identifies the direction and priorities for IRS business\n    change. These guide which business areas and system development projects are funded\n    for further analysis. The primary decision at Milestone 1 is to select Business Systems\n    Modernization projects based on both the enterprise-level Vision and Strategy and the\n    enterprise architecture.\n\xe2\x80\xa2   Milestone 2 - Business Systems Concept and Preliminary Business Case. The\n    activities leading up to Milestone 2 establish the project concept, including requirements\n    and design elements, as a solution for a specific business area or business system. A\n    preliminary business case is also produced. The primary decision at Milestone 2 is to\n    approve the solution/system concept and associated plans for a modernization initiative\n    and to authorize funding for that solution.\n\xe2\x80\xa2   Milestone 3 - Business Systems Design and Baseline Business Case. In the activities\n    leading up to Milestone 3, the major components of the business solution are analyzed\n    and designed. A baseline business case is also produced. The primary decision at\n    Milestone 3 is to accept the logical system design and associated plans and to authorize\n    funding for development, test, and (if chosen) pilot of that solution.\n\xe2\x80\xa2   Milestone 4 - Business Systems Development and Enterprise Deployment Decision.\n    In the activities leading up to Milestone 4, the business solution is built. The Milestone 4\n    activities are separated by two checkpoints. Activities leading up to Milestone 4A\n    involve further requirements definition, production of the system\xe2\x80\x99s physical design, and\n    determination of the applicability of fixed-price contracting to complete system\n    development and deployment. To achieve Milestone 4B, the system is integrated with\n    other business systems and tested, piloted (usually), and prepared for deployment. The\n    primary decision at Milestone 4B is to authorize the release for enterprisewide\n    deployment and commit the necessary resources.\n\xe2\x80\xa2   Milestone 5 - Business Systems Deployment and Postdeployment Evaluation. In the\n    activities leading up to Milestone 5, the business solution is fully deployed, including\n    delivery of training on use and maintenance. The primary decision at Milestone 5 is to\n    authorize the release of performance-based compensation based on actual, measured\n    performance of the business system.\n\n\n\n\n                                                                                        Page 23\n\x0c\x0c\x0c  Lack of Proper IRS Oversight of the Department of the Treasury\n   HSPD-12 Initiative Resulted in Misuse of Federal Government\n                            Resources\n\n\n\n                                                   Appendix VII\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                           Page 26\n\x0cLack of Proper IRS Oversight of the Department of the Treasury\n HSPD-12 Initiative Resulted in Misuse of Federal Government\n                          Resources\n\n\n\n\n                                                         Page 27\n\x0cLack of Proper IRS Oversight of the Department of the Treasury\n HSPD-12 Initiative Resulted in Misuse of Federal Government\n                          Resources\n\n\n\n\n                                                         Page 28\n\x0cLack of Proper IRS Oversight of the Department of the Treasury\n HSPD-12 Initiative Resulted in Misuse of Federal Government\n                          Resources\n\n\n\n\n                                                         Page 29\n\x0cLack of Proper IRS Oversight of the Department of the Treasury\n HSPD-12 Initiative Resulted in Misuse of Federal Government\n                          Resources\n\n\n\n\n                                                         Page 30\n\x0cLack of Proper IRS Oversight of the Department of the Treasury\n HSPD-12 Initiative Resulted in Misuse of Federal Government\n                          Resources\n\n\n\n\n                                                         Page 31\n\x0cLack of Proper IRS Oversight of the Department of the Treasury\n HSPD-12 Initiative Resulted in Misuse of Federal Government\n                          Resources\n\n\n\n\n                                                         Page 32\n\x0c'